diff --git a/.github/scripts/update_sdk_version.sh b/.github/scripts/update_sdk_version.sh index 0e5726ecca..909973b10c 100755 --- a/.github/scripts/update_sdk_version.sh +++ b/.github/scripts/update_sdk_version.sh @@ -12,6 +12,9 @@ mvn versions:set -DnewVersion=$DAPR_JAVA_SDK_VERSION -DprocessDependencies=true mvn versions:set-property -Dproperty=dapr.sdk.alpha.version -DnewVersion=$DAPR_JAVA_SDK_ALPHA_VERSION mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-tests/pom.xml +# BOM is standalone (no parent), so versions:set skips it — update it explicitly. +mvn versions:set -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-bom/pom.xml +mvn versions:set-property -Dproperty=dapr.sdk.version -DnewVersion=$DAPR_JAVA_SDK_VERSION -f sdk-bom/pom.xml mvn versions:set-property -Dproperty=dapr.sdk.alpha.version -DnewVersion=$DAPR_JAVA_SDK_ALPHA_VERSION -f sdk-tests/pom.xml diff --git a/README.md b/README.md index 1916cf5d49..ff83b11242 100644 --- a/README.md +++ b/README.md @@ -59,31 +59,43 @@ For the full list of available APIs, see the [Dapr API reference](https://docs.d If using [SDKMAN!](https://sdkman.io), execute `sdk env install` to install the required JDK. ### Importing Dapr's Java SDK + +#### Using the BOM (recommended) + +Import `dapr-sdk-bom` to manage all Dapr SDK versions and security-patched transitive dependencies in one place. This ensures your project inherits fixes for CVEs in transitive dependencies like Netty and Jackson. + For a Maven project, add the following to your `pom.xml` file: ```xml ... + + + + io.dapr + dapr-sdk-bom + 1.18.0 + pom + import + + + + - ... - + io.dapr dapr-sdk - 1.17.2 io.dapr dapr-sdk-actors - 1.17.2 io.dapr dapr-sdk-springboot - 1.17.2 - ... ... 
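Review bot: In `.github/scripts/update_sdk_version.sh`, the two added `mvn` commands expand `$DAPR_JAVA_SDK_VERSION` unquoted, so a value containing whitespace or glob characters would be split into extra Maven arguments; quote it, as in `mvn versions:set -DnewVersion="$DAPR_JAVA_SDK_VERSION" -f sdk-bom/pom.xml`. The surrounding context lines follow the same pattern and could be fixed in the same pass. The top of the script is outside the hunk, so it is not visible whether `set -euo pipefail` is in effect; if it is not, a failure of either new command would leave `sdk-bom/pom.xml` at the old version while the release continues, and an explicit `|| exit 1` on these lines would be worth adding.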
@@ -91,15 +103,55 @@ For a Maven project, add the following to your `pom.xml` file: For a Gradle project, add the following to your `build.gradle` file: -``` +```groovy dependencies { -... + // Import the BOM + implementation platform('io.dapr:dapr-sdk-bom:1.18.0') + // Dapr's core SDK with all features, except Actors. - compile('io.dapr:dapr-sdk:1.17.2') + implementation 'io.dapr:dapr-sdk' // Dapr's SDK for Actors (optional). - compile('io.dapr:dapr-sdk-actors:1.17.2') + implementation 'io.dapr:dapr-sdk-actors' // Dapr's SDK integration with SpringBoot (optional). - compile('io.dapr:dapr-sdk-springboot:1.17.2') + implementation 'io.dapr:dapr-sdk-springboot' +} +``` + +#### Without the BOM + +If you prefer to manage versions manually, specify the version on each dependency: + +For Maven: +```xml + + ... + + + io.dapr + dapr-sdk + 1.17.2 + + + io.dapr + dapr-sdk-actors + 1.17.2 + + + io.dapr + dapr-sdk-springboot + 1.17.2 + + + ... + +``` + +For Gradle: +```groovy +dependencies { + implementation 'io.dapr:dapr-sdk:1.17.2' + implementation 'io.dapr:dapr-sdk-actors:1.17.2' + implementation 'io.dapr:dapr-sdk-springboot:1.17.2' } ``` diff --git a/pom.xml b/pom.xml index f4484aa3fc..262d0ffdda 100644 --- a/pom.xml +++ b/pom.xml @@ -727,6 +727,7 @@ + sdk-bom sdk-autogen sdk sdk-actors diff --git a/sdk-bom/pom.xml b/sdk-bom/pom.xml new file mode 100644 index 0000000000..03e44a0b5a --- /dev/null +++ b/sdk-bom/pom.xml 
@@ -0,0 +1,235 @@ + + 4.0.0 + + io.dapr + dapr-sdk-bom + 1.18.0-SNAPSHOT + pom + dapr-sdk-bom + Dapr SDK Bill of Materials (BOM). Import this POM to manage versions + of all Dapr SDK modules and their security-critical transitive dependencies. + https://dapr.io + + + + Apache License Version 2.0 + https://opensource.org/licenses/Apache-2.0 + + + + + + Dapr + daprweb@microsoft.com + Dapr + https://dapr.io + + + + + https://github.com/dapr/java-sdk + scm:git:https://github.com/dapr/java-sdk.git + HEAD + + + + + ossrh + https://central.sonatype.com/repository/maven-snapshots/ + + + + + true + 1.18.0-SNAPSHOT + + 4.1.132.Final + 2.21.2 + + 1.26.0 + + + + + + org.apache.maven.plugins + maven-site-plugin + 3.12.1 + + true + + + + org.sonatype.plugins + nexus-staging-maven-plugin + 1.7.0 + true + + ossrh + https://ossrh-staging-api.central.sonatype.com + true + + + + org.apache.maven.plugins + maven-gpg-plugin + 3.1.0 + + + sign-artifacts + verify + + sign + + + + --batch + --pinentry-mode + loopback + + + + + + + + + + + + + + + io.dapr + dapr-sdk-autogen + ${dapr.sdk.version} + + + io.dapr + dapr-sdk + ${dapr.sdk.version} + + + io.dapr + dapr-sdk-actors + ${dapr.sdk.version} + + + io.dapr + dapr-sdk-workflows + ${dapr.sdk.version} + + + io.dapr + dapr-sdk-springboot + ${dapr.sdk.version} + + + io.dapr + testcontainers-dapr + ${dapr.sdk.version} + + + io.dapr + durabletask-client + ${dapr.sdk.version} + + + + + + + io.dapr.spring + dapr-spring-data + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-6-data + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-messaging + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-workflows + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-properties + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-autoconfigure + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-4-autoconfigure + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-tests + ${dapr.sdk.version} + + + 
io.dapr.spring + dapr-spring-boot-starter + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-4-starter + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-starter-test + ${dapr.sdk.version} + + + io.dapr.spring + dapr-spring-boot-4-starter-test + ${dapr.sdk.version} + + + + + + + io.netty + netty-bom + ${netty.version} + pom + import + + + com.fasterxml.jackson + jackson-bom + ${jackson.version} + pom + import + + + org.apache.commons + commons-compress + ${commons-compress.version} + + + commons-codec + commons-codec + 1.17.2 + + + + +
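Review bot: The last managed dependency in `sdk-bom/pom.xml`, `commons-codec`, carries the literal version `1.17.2` while Netty, Jackson and commons-compress are pinned through properties; move it to a property too, e.g. `<commons-codec.version>1.17.2</commons-codec.version>` with `<version>${commons-codec.version}</version>` on the dependency. The literal is the same string as the Dapr SDK release used in the README examples in this commit, so a search-and-replace version bump could change it to a commons-codec version that does not exist and break resolution for every consumer of the BOM. Because this POM has no parent, the pinned versions are presumably duplicated from the root `pom.xml` (not visible here); a comment above the properties stating that they must be kept in step with the root, or a CI check comparing the two, would keep the BOM from advertising different Netty/Jackson versions than the SDK was built and tested with.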